Re: [fw-wiz] tunnel vs open a hole
From: Frank Knobbe (fknobbe@knobbeits.com)
Date: 04/08/03
- Previous message: Dave Piscitello: "Re: [fw-wiz] tunnel vs open a hole"
- In reply to: Dave Piscitello: "Re: [fw-wiz] tunnel vs open a hole"
- Next in thread: Adam Shostack: "Re: [fw-wiz] tunnel vs open a hole"
From: Frank Knobbe <fknobbe@knobbeits.com>
To: Dave Piscitello <dave@corecom.com>
Date: 08 Apr 2003 15:34:15 -0500
On Tue, 2003-04-08 at 12:16, Dave Piscitello wrote:
> [...]
> No one discussed the benefits of using an encrypted, authenticated
> tunnel (SSL, SSH, ...), which do provide additional controls.
> [...]
At the same time, some tunnels have certain drawbacks. Depending on what
tunnel you use, you may not know the sender's IP address. For example, if
you use SSH to forward ports, you don't get the source's IP address (it
depends on how you forward; most of the time the request would be coming
from 127.0.0.1). I'm not sure about ZBD but I believe it works the same
way. You would have to check the SSH/ZBD/yourtunnel logs, but that only
shows you a general connection or the tunnel endpoint, not related or
associable to the real request (e.g. tcp port or sequence numbers),
or to the host behind the endpoint.
That 'hiding' behind tunnel endpoints can't be a benefit :)
Cheers,
Frank
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- application/pgp-signature attachment: This is a digitally signed message part
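
The effect described in the message above, as an added example that is not part of the original post: a plain TCP relay on loopback stands in for the tunnel endpoint (no SSH is involved; every function and variable name is made up for the illustration). The service behind the relay records the relay's socket, not the client's, and the two logs can only be joined if the relay records both of its sockets per connection, which is an assumption about tunnel logging that goes beyond the message.

```python
import socket
import threading

def run_demo():
    """Send one request through a relay; return (client_addr, relay_log, seen)."""
    backend = socket.create_server(("127.0.0.1", 0))  # service behind the tunnel
    relay = socket.create_server(("127.0.0.1", 0))    # stand-in for the tunnel endpoint
    seen, relay_log = [], []

    def backend_loop():
        conn, peer = backend.accept()
        with conn:
            seen.append(peer)              # what the service's own log would hold
            conn.sendall(conn.recv(1024))  # echo the request back

    def relay_loop():
        conn, peer = relay.accept()
        with conn, socket.create_connection(backend.getsockname()) as out:
            # Correlation record: real peer -> socket the service will see
            relay_log.append((peer, out.getsockname()))
            out.sendall(conn.recv(1024))
            conn.sendall(out.recv(1024))

    threads = [threading.Thread(target=f) for f in (backend_loop, relay_loop)]
    for t in threads:
        t.start()
    # Client binds its source socket explicitly, then connects to the relay
    with socket.create_connection(relay.getsockname(),
                                  source_address=("127.0.0.1", 0)) as c:
        client_addr = c.getsockname()
        c.sendall(b"ping")
        c.recv(1024)
    for t in threads:
        t.join()
    backend.close()
    relay.close()
    return client_addr, relay_log, seen

def correlate(backend_peer, relay_log):
    """Map a peer address from the service log back to the real client."""
    for real_peer, outbound in relay_log:
        if outbound == backend_peer:
            return real_peer
    return None  # relay kept no per-connection record: no attribution possible

if __name__ == "__main__":
    client, log, seen = run_demo()
    print("client socket      :", client)
    print("service log shows  :", seen[0])
    print("joined via relay   :", correlate(seen[0], log))
```

With an empty relay log, `correlate` returns `None`, which is the situation the message describes: the service log alone cannot identify the requester.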